LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 06-04-2013, 03:11 PM   #1
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,841

Rep: Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917
Block off China and Russia?


First of all, my apologies to all the chinese and russian Slackware users in this forum. But here goes.

I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.

I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.

Is there a way to block whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.

Any suggestions?
 
Old 06-04-2013, 03:39 PM   #2
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware
Posts: 217
Blog Entries: 13

Rep: Reputation: 151Reputation: 151
I do something similar with some of my servers, using the "reject" function of the "route" utility.

For instance:
route add -net 46.29.250.0 netmask 255.255.255.0 reject

The real way to do this is with a firewall rule, but "route" has been good enough that I haven't bothered. Maybe someone else will show us how to do that, to both our benefits.

Last edited by ttk; 06-04-2013 at 03:43 PM. Reason: added route example
 
Old 06-04-2013, 03:46 PM   #3
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware
Posts: 217
Blog Entries: 13

Rep: Reputation: 151Reputation: 151
To see the address range(s) of the offending networks, run "whois" on the dotted IP address. For instance, "whois 46.29.250.191" shows that the address originates from a network owned by someone in Tallinn, Estonia, and has a range of 46.29.250.0 - 46.29.251.255.

The example command I gave in my previous post blocked the lower half of that range.
 
1 members found this post helpful.
Old 06-04-2013, 03:55 PM   #4
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,841

Original Poster
Rep: Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917
I guess my main question would be: where would I get IP ranges from "problematic" countries?
 
Old 06-04-2013, 04:08 PM   #5
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware
Posts: 217
Blog Entries: 13

Rep: Reputation: 151Reputation: 151
Well, I just googled internet address ranges by country and several promising sites popped up, like:

http://www.nirsoft.net/countryip/

Also, if you unzip http://mixoftech.com/downloads/windo...all_script.zip you will find a file named windows_firewall_script/BlockList.txt which purports to contain all of the address ranges for China, Russia, and Iran. It's a start.
 
Old 06-04-2013, 04:47 PM   #6
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,566
Blog Entries: 1

Rep: Reputation: Disabled
I use cloudflare services in front of my domain.
It has a county block mechanism in their/my control panel.

1 click and China is gone.
1 Click and India is gone.

I don't know if your hosts have A records but I'm pretty sure that's required since it involves changing your NSs at the Registrar.
 
Old 06-04-2013, 10:19 PM   #7
jefro
Guru
 
Registered: Mar 2008
Posts: 11,949

Rep: Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481Reputation: 1481
Any way to just allow your known users instead of trying to block ranges?
 
Old 06-05-2013, 05:09 AM   #8
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by jefro View Post
Any way to just allow your known users instead of trying to block ranges?
I would agree that a whitelist is a better idea. Even if hack attempts seem to be coming from these countries, that doesn't mean that's where the hackers/crackers are.
 
Old 06-05-2013, 05:09 AM   #9
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 310

Rep: Reputation: 59
Quote:
Originally Posted by kikinovak View Post
I guess my main question would be: where would I get IP ranges from "problematic" countries?
Check here

Last edited by Nikosis; 06-05-2013 at 05:17 AM.
 
1 members found this post helpful.
Old 06-05-2013, 07:37 AM   #10
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,106

Rep: Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805Reputation: 805
I've done it using lists such as given by @nikosis (in my case, http://www.countryipblocks.net/), using a little AWK program to format them into IPTABLES directives. Works wonderfully.

When I start to see crap coming from somewhere that would have zero interest in my servers, I simply block the entire country and be done with it. That might be harsh, but anyplace that encourages (or sponsors!) these sorts of activities I have no reason to allow them on the property as it were.

Don't forget Korea (both of them) and, possibly, Brazil (seen a lot of activity from them).

You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others...

Hope this helps some.
 
Old 06-05-2013, 08:41 AM   #11
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 755

Rep: Reputation: 227Reputation: 227Reputation: 227
Quote:
Originally Posted by tronayne View Post
You may want to check Internet Storm Center https://isc.sans.edu/ for other candidates -- China seems to be the largest offender but, alas, there are (too many) others...

Hope this helps some.
You should include the US and Russia there.
 
Old 06-05-2013, 09:22 AM   #12
Darth Vader
Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 625

Rep: Reputation: 115Reputation: 115
Cool

Quote:
Originally Posted by kikinovak View Post
First of all, my apologies to all the chinese and russian Slackware users in this forum. But here goes.

I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.

I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.

Is there a way to block of whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.

Any suggestions?
I believe that shutting down whole countries is a frakking bad practice, because you have also shutdown a very huge number of (posible) friendly users.

And, always you have a very elegant solution to close the gates, using ssh keys autentification and shutting down completely the ssh login access.

Also, there are methods of automatically blocking (also punctually) the users which attempts brute force attacks.

Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of servers administration.

Last edited by Darth Vader; 06-05-2013 at 09:24 AM.
 
Old 06-05-2013, 10:38 AM   #13
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by Darth Vader View Post
Take care and ... consider that blocking whole countries is considered a (very) xenophobic thing in the world of servers administration.
I agree. I know many people blame China and Russia, but there is no proof that these hack attempts actually come from these countries. They can be routed through servers there and appear to be coming from there.

There are better, nicer, more elegant solutions. But, I guess nobody can be bothered.

If only people you know should be accessing your servers, then whitelist only them and block everyone else. If everyone else should be accessing your servers then use smart methods to detect attacks and block them automatically. I am very much against IP range banning. I have been the victim of this many times and in many places.
 
Old 06-05-2013, 12:26 PM   #14
Citramonum
LQ Newbie
 
Registered: Aug 2012
Distribution: Slackware 14.1
Posts: 16

Rep: Reputation: 1
I'm from Russia and I'm going to block France (both South and North) on my home router.
 
Old 06-05-2013, 12:34 PM   #15
rokytnji
Senior Member
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 13 , MacPup,Linux-Lite 2.0, SaliX
Posts: 2,795
Blog Entries: 18

Rep: Reputation: 895Reputation: 895Reputation: 895Reputation: 895Reputation: 895Reputation: 895Reputation: 895
Edited for being off topic.

Last edited by rokytnji; 06-05-2013 at 06:36 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to block IP range of China Russia and other countries. rahilmaknojia Linux - Security 15 08-03-2010 08:21 AM
LXer: MySQL founder asks China, Russia to stop Oracle LXer Syndicated Linux News 0 01-19-2010 01:10 AM
hi from Russia dr_sad LinuxQuestions.org Member Intro 4 12-23-2005 03:46 AM
script to block IPs from Korea, China, Taiwan?? latino Linux - Security 4 09-05-2005 10:57 PM


All times are GMT -5. The time now is 07:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration